web UI fails to list secrets when the path contains a #*+[(\ character

[dupainaulevain]

Describe the bug

the web UI fails to list secrets when a component of the path contains a #*+[(\ character

• #some is not properly escaped and is a URL fragment
• *some empty list, no secret displayed
• +some empty list, no secret displayed
• [some empty list, no secret displayed
• (some empty list, no secret displayed
• \some is incorrectly translated into /some

To Reproduce

Steps to reproduce the behavior, using a live Vault server (not the -dev because the workaround will redirect to the page asking for the token) and the open parenthesis.

• vault kv put 'secret/(some/2' 3=4
• visit http://vaultserver:8200//ui/vault/secrets/secret

• click on the link to (some

• the secret (2) is not displayed

Expected behavior

The secret is displayed

Workaround

• manually replace ( with %28 in the URL

• the secret is displayed (notice the %28 in the page)

Environment:

Vault Server Version Vault v1.0.2
Vault CLI Version Vault v1.0.2 ('37a1dc9c477c1c68c022d2084550f25bf20cac33')
Server Operating System/Architecture: Debian GNU/Linux stretch amd64

[singuliere]

I'm not sure why it would only create a problem with the open parenthesis. There probably is a range of characters that trigger the same bug.

[singuliere]

for c in \( \! \" \# \$ \& \' \* \+ \, \@ \`  \{ \| \} \~ \[ \\ \] \^ \_ ; do vault kv put "secret/${c}some/2" 3=4 ; done

and trying each link shows:

• #some is not properly escaped and is a URL fragment
• *some empty list, no secret displayed
• +some empty list, no secret displayed
• [some empty list, no secret displayed
• (some empty list, no secret displayed
• \some is incorrectly translated into /some

[singuliere]

@meirish is this considered a bug? I'm not familiar with how labels are assigned :-)

[meirish]

@singuliere Yep, the linked PR (#6294) fixes it - just got around to checking it out yesterday. @dupainaulevain thanks for the report - I think we've also fixed it in a few other places in the UI as well.

[singuliere]

@meirish excellent,thanks!

[dupainaulevain]

@meirish do you think vault kv list fails when a path component has a trailing white space has the same root cause as this issue?

[meirish]

@dupainaulevain no they are separate, it looks like there's a PR with some discussion linked on that issue, I believe that behavior is intentional (and the UI mimics it in the web CLI)